detection.wiki

Detection rules › Splunk

Kerberos Service Ticket Request Using RC4 Encryption

Author
Mauricio Velazco, Splunk
Source
upstream

The following analytic detects Kerberos service ticket requests using RC4 encryption, leveraging Kerberos Event 4769. This method identifies potential Golden Ticket attacks, where adversaries forge Kerberos Granting Tickets (TGT) using the Krbtgt account NTLM password hash to gain unrestricted access to an Active Directory environment. Monitoring for RC4 encryption usage is significant as it is rare in modern networks, indicating possible malicious activity. If confirmed malicious, attackers could move laterally and execute code on remote systems, compromising the entire network. Note: This detection may be bypassed if attackers use the AES key instead of the NTLM hash.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1558.001 Steal or Forge Kerberos Tickets: Golden Ticket

Event coverage

ProviderEvent IDTitle
Security-Auditing4769A Kerberos service ticket was requested.

Stages and Predicates

Stage 1: search

search (TicketOptions=0x40800000 OR TicketOptions=0x40810000 OR TicketOptions=0x40810010) EventCode=4769 ServiceName="*$" TicketEncryptionType=0x17

Stage 2: stats

stats BY dest, service, service_id, TicketEncryptionType, TicketOptions

Stage 3: search

search

Stage 4: search

search

Stage 5: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 4769 corpus 6 (splunk 6)
ServiceNameeq
  • "*$" corpus 2 (splunk 2)
TicketEncryptionTypeeq
  • 0x17 corpus 7 (splunk 4, sigma 3)
TicketOptionseq
  • 0x40800000 corpus 2 (splunk 2)
  • 0x40810000 corpus 3 (splunk 2, sigma 1)
  • 0x40810010 corpus 2 (splunk 2)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.